Take the right steps: 9 principles for building the Risk Intelligent Enterprise™

Contents

• 9 principles for building a Risk Intelligent Enterprise
• The Risk Intelligent Framework
• 1. Is risk a threat or opportunity?
• 2. A risk framework that meets your needs
• 3. Coordinated, communicated risk management
• 4. A common language for all
• 5. Know your risk
• 6. Risk begins from the top
• 7. Risk ownership
• 8. The risk support team
• 9. The risk observer
• Key Contacts

9 principles for building a Risk Intelligent Enterprise

The Risk Intelligent Framework

Principle #1: In a Risk Intelligent Enterprise, a common definition of risk, which addresses both value preservation and value creation, is used consistently throughout the organization.

Is risk a threat or opportunity?

Risk is often a topic of conversation that many businesses avoid. This is understandable because many people think of risk in terms of threats — bad things happening to the business.

But the discussion can flow freely if you consider the other side of risk, the one that applies to value creation — risk taking for reward.

Introducing new products, entering foreign markets, and acquiring competitors — all these are challenging ventures. If you do not manage the associated risks properly, you may not reap the potential rewards.

So consider adopting a more comprehensive definition of risk, one that gives equal weight to managing the risks related to growth and profitability.


Principle #2: In a Risk Intelligent Enterprise, a common risk framework supported by appropriate standards is used throughout the organization to manage risks.

A risk framework that meets your needs

Risk management in many organizations is fragmented and does not have a centralized view. This fragmented approach leads to duplicated risk management efforts and risk technology implementation, which also results in multiple sources of risk information.

For an enterprise risk management programme to be effective, it must be built around a framework. A risk framework — such as COSO ERM or ISO 31000 — allows for efficient risk-based decision making and provides a streamlined process for evaluating opportunities for your organization. It provides structured guidance that helps you decide which opportunities to pursue and which threats to avoid.

The framework must therefore be robust to support your risk management objectives. It must accommodate your unique strategies, initiatives, and organizational structure. And it must be adaptable to your industry and regulatory requirements.

There is no need to over-evaluate which risk framework to use. Just make sure it is something that is able to meet your organization’s needs.


Principle #3: In a Risk Intelligent Enterprise, key roles, responsibilities, and authority relating to risk management are clearly defined within the organization.

Coordinated, communicated risk management

Done right, risk management is a coordinated effort, where multiple roles are involved simultaneously in an integrated manner.

Of course, there may be people in your organization who do not realize they have a role to play in risk management. Your product development manager, IT supervisor, or deputy vice president responsible for mergers and acquisitions probably considers risk management as somebody else’s responsibility.

To promote Risk Intelligence in your organization, it is essential to change that mindset. You will need clear communication at the individual level to convey what Risk Intelligence means, why it is important to the organization collectively and to employees individually, and what your people need to do on a daily basis.

This effort requires clear communications, a strong risk-focused culture, reward programmes that incorporate risk-related objectives, and learning programmes to promote intelligent risk management.

In brief, risk management needs to be a harmonious collaboration where:

• The board sets the direction.
• The executive leads the risk programme.
• The business units work as a team for a successful implementation.
• Certain functions (HR, finance, IT, legal, tax) support the risk programme.
• Other functions (internal audit, risk, and compliance) monitor the results.


Principle #4: In a Risk Intelligent Enterprise, a common risk management infrastructure is used to support the business units and functions in the performance of their risk responsibilities.

A common language for all

Risk specialists tend to behave like any social group: They stick together. They share similar beliefs and habits. They develop their own set of rules.

However, it is essential for risk specialists to break away from their groups. Risk does not exist in isolation, so risk managers cannot do so either.

To effectively and efficiently manage risks and reap the rewards, organizational silos must be bridged. In particular, a common risk infrastructure needs to be created. All the business units and functions should also use the same supporting risk technologies and processes where it is practical to do so.

The bridging process involves synchronizing — coordinating across boundaries within the organization, harmonizing — ensuring that risk managers all speak the same language and have a common definition for risk, and rationalizing — eliminating duplication of efforts.

The bridging process also involves the use of tools like The Risk Intelligence Map™ to facilitate your internal discussions. It may get you thinking and talking about risk in ways you have never envisioned. In addition, you should also draw upon your risk framework to help standardize your approach.

Common risk technology, measurement, processes, and terminology will provide the link to bridge all the business units and functions within the organization.


Principle #5: In a Risk Intelligent Enterprise, governing bodies (e.g., boards, audit committees, etc.) have appropriate transparency and visibility into the organization’s risk management practices to discharge their responsibilities.

Know your risk

Some boards of directors are not kept informed on how risk is being managed within the organization. This should obviously be avoided, as board members have a fiduciary responsibility to ensure that management has appropriate processes in place to manage risk. This duty cannot be executed without the right knowledge.

To fulfill their responsibilities and to provide value, board members should:

• Put risk on the agenda. Make time for risk before risk demands it. Discussing risk at every board meeting is not too often.

• Examine the current risk structure. How are risks managed? Are risk silos being bridged?

• Review risk periodically with the management team. Identify risks that will prevent the organization from executing its key strategies.

• Discuss risk scenarios. Where do the greatest opportunities lie? What could put a stop to the organization’s ability to meet its strategic objectives?

• Check the organization’s risk appetite. Determine how much risk the organization is able to take on. How much is it willing to take on? And how much is it actually taking on? Are these in line?

• Get reasonable assurance. Ask the management team: How confident are you? Why?

• Get independent reassurance. Conduct an internal audit or engage an external consultant to evaluate the effectiveness of your risk management programme.


Principle #6: In a Risk Intelligent Enterprise, executive management is assigned with primary responsibility for designing, implementing, and maintaining an effective risk programme.

Risk begins from the top

Everyone has a responsibility for risk. But if you are a member of the executive team, this responsibility is even greater.

As an executive, you have the benefit of leadership and authority. You need to exercise them to get people thinking about risk taking for reward, to push risk management through all the layers of the organization, to set expectations, to ensure accountability, to engage the board, to drive change, and to establish a Risk Intelligent culture.

This is an ambitious agenda. How can you get it all done? Form a Risk Intelligence group — an executive-level risk committee — to bring better risk insights to your management team and help create a Risk Intelligence programme.

In some organizations, a key member of this executive-level Risk Intelligence group is the Chief Risk Officer (CRO). Sitting at the table with other top executives, the CRO helps develop policy and common approaches that are rolled out to business units, communicates and monitors the organization’s risk appetite, and reports risk information to the management and board-level oversight functions.

The role of the CRO varies considerably and needs to match the requirements and risk philosophy of the organization. Some may choose to take on the role of a business partner, a facilitator, or even a traffic police officer. Whatever the role, you can be sure the risk programme is their primary responsibility.


Principle #7: In a Risk Intelligent Enterprise, business units (departments, agencies, etc.) are responsible for the performance of their business and the management of risks they take within the risk framework established by executive management.

Risk ownership

So everyone is responsible for risk. But who “owns” it?

The ownership question causes plenty of confusion throughout organizations, so it might be helpful to state it in simple terms: If you own the business unit, you own the risk.

In other words, if you are accountable for the success of a business unit, you have primary responsibility for the day-to-day management of the risks associated with that unit. But this does not mean the other members of the business unit do not need to carry out their risk-related responsibilities.

What does risk ownership involve? Among other things, risk owners have the responsibility to identify, measure, monitor, control, and report on risks to executive management, promote risk awareness, and reprioritize activities as dictated by effective risk analyses.

Needless to say, risk owners must also abide by the rules and operate under certain constraints. For example, they do not choose the framework — they live within it. They do not determine the organization’s risk appetite — they stay within the level determined by the organization.


Principle #8: In a Risk Intelligent Enterprise, certain functions (e.g., finance, legal, IT, HR, etc.) have a widespread impact on the business and provide support to the business units as it relates to the organization’s risk programme.

The risk support team

Certain functions, including finance, legal, human resources (HR), tax, and IT, differ from the business units in that they do not just own risk management — they also help support it.

Like the business units, these functions bear primary responsibility for the risk that originates within their operations. At the same time, they also have risk responsibilities that go beyond their functions.

For example, finance, which takes the lead on internal control and audit-related risk, may have an extensive risk assessment capability that can be leveraged by other functions. Besides taking the lead for technology-related risk, IT can help other parts of the business monitor and mitigate risks. While HR’s primary responsibility is talent and staff risk, HR can also identify risk areas of emerging concern through employee engagement surveys and exit interview results.

As these functions are present throughout the organization, they are usually tasked to develop and enforce company-wide policies, procedures, and controls that help mitigate risks. They support each business unit and help them understand their requirements for intelligent risk taking for reward. They collect key information for management and perform risk mitigation analyses.

It is important that these key functions join the risk team with defined roles in the risk framework and by participating in risk committees and other key risk forums.


Principle #9: In a Risk Intelligent Enterprise, certain functions (e.g., internal audit, risk management, compliance, etc.) provide objective assurance as well as monitor and report on the effectiveness of an organization’s risk programme to governing bodies and executive management.

The risk observer

When it comes to risk management, certain groups within the organization carry a unique role — namely, the internal audit, compliance, and risk management functions. Their key responsibility is to provide assurance that the internal control and risk structure operates effectively.

This role sets them apart from every other entity within the organization. They have no responsibility for setting and directing the operations of the business. Their role is to monitor and enhance the effectiveness of the organization’s risk management activities.

Specific roles and responsibilities of these groups vary from one organization to another. Some groups do far more than provide reassurance, while others are more restricted in their activities. The roles they can play include:

• Assessing the current state of risk management, while providing the vision to help management identify future risks and opportunities.

• Determining whether the organization is taking on risk at a level that it is able to manage.

• Verifying if the organization is ensuring that risk is interacting and descending at an appropriate level.

• Investigating ways to eliminate inefficiencies in risk management.

• Gathering support for resources related to risk-taking for reward, addressing risks associated with increasing profitability, and increasing shareholder value.

• Drawing attention to and getting support for resources to address risk areas deemed insufficiently covered.

• Providing deep knowledge and expertise in key risk areas such as fraud.

• Getting involved in control rectification and design, and helping to conduct and interpret risk assessments.


Key Contacts

• Asia Pacific: Uantchern [email protected], +65 6216 3282
• Australia: Ron [email protected], +61 (02) 9322 7163
• China: Danny [email protected], +852 2852 1600
• India: Abhay [email protected], +91 (22) 6681 0600
• Japan: Keiichi [email protected], +81 (3) 6213 1111
• Korea: Chan Hee [email protected], +82 (2) 6676 1000
• New Zealand: Faris [email protected], +64 9303 0842
• Southeast Asia: Uantchern [email protected], +65 6216 3282
• Taiwan: Scott [email protected], +886 (2) 2545 9988

Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in 140 countries, Deloitte brings world-class capabilities and deep local expertise to help clients succeed wherever they operate. Deloitte’s 165,000 professionals are committed to becoming the standard of excellence.

Deloitte’s professionals are unified by a collaborative culture that fosters integrity, outstanding value to markets and clients, commitment to each other, and strength from cultural diversity. They enjoy an environment of continuous learning, challenging experiences, and enriching career opportunities. Deloitte’s professionals are dedicated to strengthening corporate responsibility, building public trust, and making a positive impact in their communities.

Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu and its member firms.

This publication contains general information only, and none of Deloitte Touche Tohmatsu, its member firms, or its and their affiliates are, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your finances or your business. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser.

None of Deloitte Touche Tohmatsu, its member firms, or its and their respective affiliates shall be responsible for any loss whatsoever sustained by any person who relies on this publication.

© 2009 Deloitte Touche Tohmatsu